To read the full version of this content please select one of the options below:

Can spending on information security be justified? Evaluating the security spending decision from the perspective of a rational actor

Andrew Stewart (Seattle, Washington, USA)

Information Management & Computer Security

ISSN: 0968-5227

Article publication date: 5 October 2012

1004

Abstract

Purpose

The purpose of this paper is to investigate the optimality of various strategies for spending on information security. Being able to understand the strengths and weaknesses of spending strategies is useful to organizations.

Design/methodology/approach

The author's analysis begins with a whole‐systems view of the security spending decision that encompasses people, technology, and economics and a taxonomy of justifications is presented for spending on information security. Each justification within the taxonomy is discussed, with that analysis used to examine the apparent rationality of a number of common spending strategies. A model is constructed that can be used in a practical manner to enable an organization to select a rational approach to spending on information security.

Findings

The author describes two spending strategies intended to be simple and straightforward for an organization to employ in a practical manner. These strategies account for a number of weaknesses in common justifications for spending on information security. They also take into consideration the observation that a number of pressures push companies towards inefficiency in their spending.

Originality/value

When faced with budgeting decisions, managers are bound by fiduciary duty to identify those investments that will maximize shareholder value. As such, decisions about spending must be carefully considered and evaluated in rational economic terms. This paper provides useful thinking on this important topic.

Keywords

Citation

Stewart, A. (2012), "Can spending on information security be justified? Evaluating the security spending decision from the perspective of a rational actor", Information Management & Computer Security, Vol. 20 No. 4, pp. 312-326. https://doi.org/10.1108/09685221211267675

Publisher

:

Emerald Group Publishing Limited

Copyright © 2012, Emerald Group Publishing Limited

Related articles